langgenius/dify
cpe:2.3:a:langgenius:dify:*:*:*:*:node.js:*:*
- 0.10.1
A vulnerability in Langgenius Dify version 0.10.1 allows attackers to reset the password of any user, including administrators, through the '/forgot-password/resets' endpoint. The issue arises because the endpoint fails to verify the password reset code, enabling unauthorized password changes and potentially leading to a complete compromise of the application.
Exploitation of this vulnerability allows for unauthorized password resets, leading to account takeovers, including those of administrative users.
To reproduce this vulnerability, request a password reset for any user by entering their email address. After sending the request, extract the token from the URL of the response. Then, send a POST request to the '/console/api/forgot-password/resets' endpoint, including the extracted token, the email address of the user whose password is to be reset, and the new password details. This will reset the password for the specified user, regardless of the email used, as long as the token is valid.
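The missing checks described above, modelled as an added example (not Dify's code and not part of the advisory); `ResetStore`, its method names and the 300-second token lifetime are assumptions. `reset_weak` accepts any live token for any email, while `reset_hardened` requires a verified code, a token bound to the same email, and consumes the token on use.

```python
import hmac
import secrets
import time

TTL = 300  # assumed reset-token lifetime in seconds


class ResetStore:
    """In-memory stand-in for a server-side reset-token store (hypothetical)."""

    def __init__(self):
        self.tokens = {}     # token -> {"email", "code", "verified", "exp"}
        self.passwords = {}  # email -> password (a real service stores a hash)

    def issue(self, email):
        token = secrets.token_urlsafe(32)
        code = f"{secrets.randbelow(10**6):06d}"
        self.tokens[token] = {"email": email, "code": code,
                              "verified": False, "exp": time.time() + TTL}
        return token, code  # code is mailed to the user, token goes to the client

    def verify_code(self, token, email, code):
        rec = self.tokens.get(token)
        if not rec or rec["exp"] < time.time() or rec["email"] != email:
            return False
        if not hmac.compare_digest(rec["code"], code):
            self.tokens.pop(token, None)  # one guess per token
            return False
        rec["verified"] = True
        return True

    def reset_weak(self, token, email, new_password):
        # Flaw as the advisory describes it: only the token's existence is
        # checked; the code is never verified and the email is taken from the request.
        if token not in self.tokens:
            return False
        self.passwords[email] = new_password
        return True

    def reset_hardened(self, token, email, new_password):
        rec = self.tokens.pop(token, None)  # single use, even on failure
        if not rec or rec["exp"] < time.time():
            return False
        if not rec["verified"] or rec["email"] != email:
            return False
        self.passwords[email] = new_password
        return True
```
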